Secure Practice – exit report

Who is responsible for complying with privacy regulations?

Assessments of the various roles in the usage phase

A question that emerged early on in the sandbox project was how responsibility should be divided between Secure Practice and their clients. The background to the question was that Secure Practice themselves entered the project with a desire to avoid the client (i.e. the employer) gaining access to individual risk profiles of employees, as a privacy measure to safeguard employees. Secure Practice was nevertheless in doubt about whether it was possible to guarantee this in practice, even if they could implement technical measures in the solution to prevent the client from gaining access to such data.

In other services, Secure Practice has examined its own role as a processor and drawn up ordinary data processing agreements with the client. The client will then be the data controller and decides how the personal data is going to be used. In its role as a processor, Secure Practice is obliged to disclose all personal data the client wants to gain access to. An inherent risk of such a division of responsibility in the new service is that Secure Practice cannot decline to disclose personal data on individual employees to the employers, even in the event of suspicion that the data will be used for other purposes (for example to influence salary levels or bonus payments).

In collaboration with Secure Practice, the Norwegian Data Protection Authority examined the consequences of various divisions of responsibility, and an alternative solution involving joint processing responsibility was suggested. Secure Practice wishes to withhold personal data from their clients. By withholding data from their clients they have a crucial influence on the processing of this personal data which extends beyond their role as processor. This means that Secure Practice and the client jointly determine the purposes and means of the processing of the employees’ personal data.

In its guidelines, the European Data Protection Board refers to a distinction between “essential” and “non-essential” means. Section 40 of the guidelines links “essential” means to the choices that are transferred to the data controller. As stated in the guidelines there is a close connection between what constitutes “essential means” and the issue of whether the processing is legal, necessary and proportionate. “Non-essential” means are linked to practical implementation, for example security measures.

Minimising the employer’s access to the employee’s personal data can be seen as a means of reducing privacy disadvantages. In the assessment of the legal basis, and therefore of whether or not the tool is legal, the privacy disadvantages are relevant; see point 4.2 below.

European Court of Justice case law shows that parties can become joint data controllers, even if the processing of personal data is not evenly divided between the parties or the client does not have access to the personal data that is being processed. This might be the case where the service processes the personal data for its own purposes, and this processing can be carried out only because the client facilitates such processing by choosing the service.

According to the way the service is outlined in the sandbox project, Secure Practice’s processing of personal data will only be possible because the client uses the service. Secure Practice processes this personal data by preventing personal data on each individual employee from being disclosed to the client. Withholding personal data from the client accordingly creates a joint processing responsibility between Secure Practice and their clients.

The purpose of organising the processing with joint processing responsibility is to ensure that the division of responsibility reflects the actual role that Secure Practice undertakes in the individual processing situations. This means that there is no change in the processes where Secure Practice actually acts as a processor and processes personal data on behalf of the client. However, where the processing is not exclusively done on behalf of the client, the GDPR requires the parties to identify this.

Secure Practice and the individual client must map the processes where they jointly determine the purposes and means of the processing so that they determine responsibility among themselves in a transparent manner. A transparent determination of responsibility between Secure Practice and their clients is intended to prevent the diffusion of responsibility between the companies when employees seek to exercise their rights under GDPR.

The allocation of responsibility can take place through a contract or other document between the client and Secure Practice. Regardless of how this is arranged between Secure Practice and the client it must be communicated outwardly so that employees are aware of how they can request access to their personal data and exercise their rights in accordance with GDPR.

Artificial intelligence in three phases

We often divide artificial intelligence into three phases: development, usage and learning. The question of data protection arises in all phases.

The development phase: Machine learning is sometimes used to gain insight into large data quantities, insight that can in turn be used to develop new solutions. For example, Secure Practice has carried out an analysis of emails to find out what characteristics are particularly present in suspicious emails. These findings could then be turned into artificial intelligence to detect harmful emails, through specific patterns that developers incorporate into the software.

Usage phase: Machine learning can also be used to discover new connections in real time, without humans needing to be involved in the process. In other words, the degree of automation here will be high, unlike the development phase, although it may otherwise be very similar. Secure Practice already uses machine learning in real time in its MailRisk service, without humans being involved, to identify and classify hitherto unseen scams and cyber-attacks that spam filters have been unable to stop.

Learning phase: This is more similar to the development phase, but generally with more data available, particularly data on the results after the system has done its job. Learning can be crucial for verifying or improving the correctness of a machine learning model. This applies in particular to conditions that change over time, such as the fraud methods used in malicious emails. Learning is also relevant for complex conditions, such as security attitudes among the company's employees.

Secure Practice has not used personal data in the development phase of the service to which the project applies. It has therefore been decided to focus this project on the usage phase which illustrates the specific challenges in the workplace most clearly. We have also briefly discussed learning at various points, to illustrate that machine learning is a continuous process.

Assessments of the various roles in the learning phase

The use of personal data for learning to improve one’s own products is, unlike the other processing, primarily of interest to Secure Practice, although their customers may also benefit from the results of such learning.

Secure Practice determines the purposes and means of this processing. The learning could therefore not be carried out without the personal data used in the service.

To ensure that Secure Practice has the sole processing responsibility for the learning phase, controls should be established in the user interface so that the client can prevent the use of personal data for this purpose. This separation ensures that there is no lack of clarity about when Secure Practice is acting as a controller and when the company is acting as a data processor. Furthermore, the information on the processing should be clearly presented to clients who wish to use this functionality.